Security Blog Log: Surprise! IE 7 beta has a flaw

--------------------------------------------------------------------------------------------------------

Microsoft Chairman Bill Gates unveiled plans for Internet Explorer 7 (IE 7) at last year's RSA Security conference, promising that the industry's dominant Web browser would have more security muscle to fight phishing, malware and spyware. Since then, IE 7 has undergone a long period of beta testing.

Tuesday, the software giant finally released a beta version to the public, meant primarily for developers and tech enthusiasts. It didn't take security pros long to start buzzing about it in the blogosphere. And it didn't take long for the flaw-finders to uncover a security hole the digital underground could exploit for malicious purposes.

"I figured I would give it a quick look and I just happened to find something within the first 15 minutes [of] testing," vulnerability researcher Tom Ferris said in his Security Protocols blog. "So you are probably thinking, why release an advisory on a beta product? Well, why not? It's Microsoft, right?"

Ferris included a link to his detailed analysis on the flaw, saying attackers could use a specially crafted HTML file to crash the browser or launch malicious code.

That prompted some bloggers to wonder if they should wait a while longer before taking the browser for a spin.

"Well, it didn't even take 24 hours for someone to find the first vulnerability in Internet Explorer 7 Beta 2," network professional Martin McKeay said in his Network Security blog. "And here I was, contemplating installing IE 7 to play with. Maybe I'll wait until Beta 3 or 4."

Tony Chor, a program manager on Microsoft's IE team, addressed Ferris' findings in the software giant's IE blog.

"Naturally, we take the security of IE and our users' safety very seriously, so we investigated immediately," he said. "We did confirm that the bug crashes IE. However, we did not find that the bug was exploitable by default to elevate privilege and run arbitrary code."

Chor said Microsoft had already found the glitch during the code review and analysis that is "a mandatory part of our development process. It was scheduled to be fixed before our next public release."

People have grown accustomed to criticizing Microsoft and its security practices, and many agree that the software giant has deserved it to a large extent. After all, prior versions of IE, including version 6, have proven to be full of security holes attackers have exploited successfully on many occasions. Customers have gotten used to seeing a cumulative patch for the browser every few months.

That's why open source browsers like Firefox are all the rage today, even though those browsers have flaws, too.

But in recent years, the vendor has also shown that it's taking security a lot more seriously. Proof of that can be found in such offerings as Windows XP SP2, AntiSpyware and OneCare Live. Each product has its critics and there's no doubt Microsoft has been playing catch-up on its security. Ultimately, it seems to be moving in the right direction.

Some may still get discouraged by reports of flaws in IE 7, but it's important to remember that it's still in beta and that glitches are to be expected. The public beta is meant to be picked apart by researchers like Ferris.

The more picking the professionals do now, the more secure the browser will be when it emerges from beta.

Those who want to download the beta can do so here. And while Google and others have generalized the term beta to often mean any software that may be updated or changed later, Microsoft specifically intends this beta to be for testing only. It isn't meant to be installed on a typical user's computer as a replacement browser.